[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnu-arch-users] signatures and checking
From: |
Andrew Suffield |
Subject: |
Re: [Gnu-arch-users] signatures and checking |
Date: |
Tue, 27 Jan 2004 02:08:49 +0000 |
User-agent: |
Mutt/1.5.5.1+cvs20040105i |
On Mon, Jan 26, 2004 at 04:58:51PM -0800, Tom Lord wrote:
> So I'm back to thinking that the right short term fix for the security
> issue is just to provide, say, an awk script that users can use
> instead of calling gpg (or agpg or whatever) directly in their .check
> files.
What do you think this script should do?
The only way it can possibly work that I can see, is to reimplement
the packet parser from gpg. That's hard; I looked at the code and it's
extremely complicated. There are heaps of things that gpg will
consider valid signed data; the clearsigned openpgp message that we're
currently using are a tiny subset of the range of things that gpg can
handle.
The only "easy" solutions require the signature check script to tell
tla what the signed data is. Anything that's based on tla guessing
(like "all lines beginning with a hash type I recognise") is going to
be difficult to write correct check scripts for - you have to scan the
checksum file and make sure there's nothing that tla could match that
is not within a signed region.
> And the right long-term fix is to ask for a new option in gpg.
Again, to do what? I already tried this, and couldn't come up with
anything that made sense other than "emit the signed data to stdout".
As far as I can tell, gpg already does everything that it can do to
help us here.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |
signature.asc
Description: Digital signature
- [Gnu-arch-users] Re: signatures and checking, (continued)
- [Gnu-arch-users] Re: signatures and checking, Samuel Tardieu, 2004/01/26
- [Gnu-arch-users] Re: signatures and checking, Miles Bader, 2004/01/26
- [Gnu-arch-users] Re: signatures and checking, Tom Lord, 2004/01/26
- [Gnu-arch-users] Re: signatures and checking, Tom Lord, 2004/01/26
- Re: [Gnu-arch-users] Re: signatures and checking, Andrew Suffield, 2004/01/26
- Re: [Gnu-arch-users] Re: signatures and checking, Tom Lord, 2004/01/26
- Re: [Gnu-arch-users] Re: signatures and checking, Robert Collins, 2004/01/27
- Re: [Gnu-arch-users] Re: signatures and checking, Tom Lord, 2004/01/27
- [Gnu-arch-users] Re: signatures and checking, Neil Stevens, 2004/01/26
Re: [Gnu-arch-users] signatures and checking,
Andrew Suffield <=
Re: [Gnu-arch-users] signatures and checking, Robert Collins, 2004/01/27
Re: [Gnu-arch-users] signatures and checking, Johannes Berg, 2004/01/27
Re: [Gnu-arch-users] signatures and checking, Johannes Berg, 2004/01/27
Re: [Gnu-arch-users] signatures and checking, Johannes Berg, 2004/01/27